7 a.m.
Hi guys.
@devel perhaps could comment if it's Java among package
updates which breaks PKI ?
...
ipa-pki-wait-running: Connection failed:
HTTPConnectionPool(host='whale.mine.private', port=8080):
Max retries exceeded with url: /ca/admin/ca/getStatus
(Caused by
NewConnectionError('<urllib3.connection.HTTPConnection
object at 0x7f9c31d7ba60>: Failed to establish a new
connection: [Errno 111] Connection refused'))
WARNING: Some of the specified [protocols] are not supported
by the SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
SEVERE: Error deploying deployment descriptor
[/etc/pki/pki-tomcat/Catalina/localhost/ca.xml]
java.lang.IllegalStateException: Error starting child
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
at
org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
at
java.base/java.security.AccessController.doPrivileged(Native
Method)
at
org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:706)
...
...
at
org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
... 41 more
Caused by: java.lang.UnsupportedClassVersionError:
netscape/ldap/LDAPException has been compiled by a more
recent version of the Java Runtime (class file version
61.0), this version of the Java Runtime only recognizes
class file versions up to 55.0
at java.base/java.lang.ClassLoader.defineClass1(Native
Method)
at
java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1017)
...
SEVERE: One or more listeners failed to start. Full details
will be found in the appropriate container log file
SEVERE: Context [/acme] startup failed due to previous errors
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by
org.apache.catalina.loader.WebappClassLoaderBase
(file:/usr/share/java/tomcat/catalina.jar) to field
java.io.ObjectStreamClass$Caches.localDescs
WARNING: Please consider reporting this to the maintainers
of org.apache.catalina.loader.WebappClassLoaderBase
WARNING: Use --illegal-access=warn to enable warnings of
further illegal reflective access operations
...
java-11-openjdk-devel-11.0.15.0.1-0.1.ea.el9.x86_64
ipa-server-4.9.8-6.el9.x86_64
or this is some issue irrespective of java?
many thanks, L.
7:58 a.m.
On ke, 20 huhti 2022, lejeczek via FreeIPA-users wrote:
Hi guys.
@devel perhaps could comment if it's Java among package updates which
breaks PKI ?
...
ipa-pki-wait-running: Connection failed:
HTTPConnectionPool(host='whale.mine.private', port=8080): Max retries
exceeded with url: /ca/admin/ca/getStatus (Caused by
NewConnectionError('<urllib3.connection.HTTPConnection object at
0x7f9c31d7ba60>: Failed to establish a new connection: [Errno 111]
Connection refused'))
WARNING: Some of the specified [protocols] are not supported by the
SSL engine and have been skipped: [[TLSv1, TLSv1.1]]
SEVERE: Error deploying deployment descriptor
[/etc/pki/pki-tomcat/Catalina/localhost/ca.xml]
java.lang.IllegalStateException: Error starting child
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
at
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
at java.base/java.security.AccessController.doPrivileged(Native
Method)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
at
org.apache.catalina.core.StandardHost.addChild(StandardHost.java:706)
...
...
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
... 41 more
Caused by: java.lang.UnsupportedClassVersionError:
netscape/ldap/LDAPException has been compiled by a more recent version
of the Java Runtime (class file version 61.0), this version of the
Java Runtime only recognizes class file versions up to 55.0
at java.base/java.lang.ClassLoader.defineClass1(Native Method)
at
java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1017)
...
SEVERE: One or more listeners failed to start. Full details will be
found in the appropriate container log file
SEVERE: Context [/acme] startup failed due to previous errors
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by
org.apache.catalina.loader.WebappClassLoaderBase
(file:/usr/share/java/tomcat/catalina.jar) to field
java.io.ObjectStreamClass$Caches.localDescs
WARNING: Please consider reporting this to the maintainers of
org.apache.catalina.loader.WebappClassLoaderBase
WARNING: Use --illegal-access=warn to enable warnings of further
illegal reflective access operations
...
java-11-openjdk-devel-11.0.15.0.1-0.1.ea.el9.x86_64
ipa-server-4.9.8-6.el9.x86_64
or this is some issue irrespective of java?
It looks like some inconsistency between PKI and Java packages.
I also noticed you have a previous CentOS 9 Stream compose as ipa-server
4.9.8-8.el9 is now available. Perhaps, many packages were upgraded in it
as well and you might get a better chance?
Anyway, I asked PKI developers to check what's up with these different
bytecode versions.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
8:15 a.m.
On 20/04/2022 13:58, Alexander Bokovoy wrote:
On ke, 20 huhti 2022, lejeczek via FreeIPA-users wrote:
> Hi guys.
>
> @devel perhaps could comment if it's Java among package
> updates which breaks PKI ?
>
> ...
> ipa-pki-wait-running: Connection failed:
> HTTPConnectionPool(host='whale.mine.private', port=8080):
> Max retries exceeded with url: /ca/admin/ca/getStatus
> (Caused by
> NewConnectionError('<urllib3.connection.HTTPConnection
> object at 0x7f9c31d7ba60>: Failed to establish a new
> connection: [Errno 111] Connection refused'))
> WARNING: Some of the specified [protocols] are not
> supported by the SSL engine and have been skipped:
> [[TLSv1, TLSv1.1]]
> SEVERE: Error deploying deployment descriptor
> [/etc/pki/pki-tomcat/Catalina/localhost/ca.xml]
> java.lang.IllegalStateException: Error starting child
> at
> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
>
> at
> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:720)
>
> at
> org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:129)
>
> at
>
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:150)
>
> at
>
org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:140)
>
> at
> java.base/java.security.AccessController.doPrivileged(Native
> Method)
> at
> org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:688)
>
>
> at
> org.apache.catalina.core.StandardHost.addChild(StandardHost.java:706)
>
>
> ...
> ...
> at
> org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:717)
>
> ... 41 more
> Caused by: java.lang.UnsupportedClassVersionError:
> netscape/ldap/LDAPException has been compiled by a more
> recent version of the Java Runtime (class file version
> 61.0), this version of the Java Runtime only recognizes
> class file versions up to 55.0
> at
> java.base/java.lang.ClassLoader.defineClass1(Native Method)
> at
> java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1017)
>
>
> ...
> SEVERE: One or more listeners failed to start. Full
> details will be found in the appropriate container log file
> SEVERE: Context [/acme] startup failed due to previous
> errors
> WARNING: An illegal reflective access operation has occurred
> WARNING: Illegal reflective access by
> org.apache.catalina.loader.WebappClassLoaderBase
> (file:/usr/share/java/tomcat/catalina.jar) to field
> java.io.ObjectStreamClass$Caches.localDescs
> WARNING: Please consider reporting this to the
> maintainers of
> org.apache.catalina.loader.WebappClassLoaderBase
> WARNING: Use --illegal-access=warn to enable warnings of
> further illegal reflective access operations
> ...
>
> java-11-openjdk-devel-11.0.15.0.1-0.1.ea.el9.x86_64
> ipa-server-4.9.8-6.el9.x86_64
>
> or this is some issue irrespective of java?
It looks like some inconsistency between PKI and Java
packages.
I also noticed you have a previous CentOS 9 Stream compose
as ipa-server
4.9.8-8.el9 is now available. Perhaps, many packages were
upgraded in it
as well and you might get a better chance?
sorry, wrong c&p from me, that 4.9.8-8.el9 went in along
with other updates, that was when PKI broke.
Anyway, I asked PKI developers to check what's up with
these different
bytecode versions.
9:02 a.m.
PKI packages require Java 17 in CentOS 9 Stream:
https://gitlab.com/redhat/centos-stream/rpms/pki-core/-/blob/c9s/pki-core....
What version(s) of java-*-openjdk-headless do you have? java-17-openjdk-headless should
have been pulled as a dependency when you pulled the PKI packages.
9:24 a.m.
On 20/04/2022 15:02, Chris Kelley via FreeIPA-users wrote:
PKI packages require Java 17 in CentOS 9 Stream:
https://gitlab.com/redhat/centos-stream/rpms/pki-core/-/blob/c9s/pki-core....
What version(s) of java-*-openjdk-headless do you have? java-17-openjdk-headless should
have been pulled as a dependency when you pulled the PKI packages.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
17 got an update as well:
java-17-openjdk-headless-17.0.3.0.5-0.1.ea.el9.x86_64
java-11-openjdk-headless-11.0.15.0.1-0.1.ea.el9.x86_64
thanks, L.
9:42 a.m.
Hi,
We're in the middle of updating PKI packages (jss, tomcatjss, ldapjdk,
pki-core).
The old one requires Java 11, but the new one requires Java 17. The problem
is
the pki-core update got stuck due to gating issues. Is it possible for you
to
downgrade the packages for now?
--
Endi S. Dewata
On Wed, Apr 20, 2022 at 9:24 AM lejeczek via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
On 20/04/2022 15:02, Chris Kelley via FreeIPA-users wrote:
> PKI packages require Java 17 in CentOS 9 Stream:
https://gitlab.com/redhat/centos-stream/rpms/pki-core/-/blob/c9s/pki-core...
.
>
> What version(s) of java-*-openjdk-headless do you have?
java-17-openjdk-headless should have been pulled as a dependency when you
pulled the PKI packages.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>
17 got an update as well:
java-17-openjdk-headless-17.0.3.0.5-0.1.ea.el9.x86_64
java-11-openjdk-headless-11.0.15.0.1-0.1.ea.el9.x86_64
thanks, L.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
2:20 a.m.
On 20/04/2022 15:42, Endi Dewata wrote:
Hi,
We're in the middle of updating PKI packages (jss,
tomcatjss, ldapjdk, pki-core).
The old one requires Java 11, but the new one requires
Java 17. The problem is
the pki-core update got stuck due to gating issues. Is it
possible for you to
downgrade the packages for now?
--
Endi S. Dewata
On Wed, Apr 20, 2022 at 9:24 AM lejeczek via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
On 20/04/2022 15:02, Chris Kelley via FreeIPA-users wrote:
> PKI packages require Java 17 in CentOS 9 Stream:
https://gitlab.com/redhat/centos-stream/rpms/pki-core/-/blob/c9s/pki-core....
>
> What version(s) of java-*-openjdk-headless do you
have? java-17-openjdk-headless should have been pulled
as a dependency when you pulled the PKI packages.
> _______________________________________________
> FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
>
17 got an update as well:
java-17-openjdk-headless-17.0.3.0.5-0.1.ea.el9.x86_64
java-11-openjdk-headless-11.0.15.0.1-0.1.ea.el9.x86_64
thanks, L.
_______________________________________________
tried that but with ipa & java but still fails - pretty
messy case this is so encourage all involved devel to look
into it asap.
thanks, L
2:50 a.m.
On to, 21 huhti 2022, lejeczek via FreeIPA-users wrote:
On 20/04/2022 15:42, Endi Dewata wrote:
>Hi,
>
>We're in the middle of updating PKI packages (jss, tomcatjss,
>ldapjdk, pki-core).
>The old one requires Java 11, but the new one requires Java 17. The
>problem is
>the pki-core update got stuck due to gating issues. Is it possible
>for you to
>downgrade the packages for now?
>
>--
>Endi S. Dewata
>
>On Wed, Apr 20, 2022 at 9:24 AM lejeczek via FreeIPA-users
><freeipa-users(a)lists.fedorahosted.org> wrote:
>
>
>
> On 20/04/2022 15:02, Chris Kelley via FreeIPA-users wrote:
> > PKI packages require Java 17 in CentOS 9 Stream:
>
https://gitlab.com/redhat/centos-stream/rpms/pki-core/-/blob/c9s/pki-core....
> >
> > What version(s) of java-*-openjdk-headless do you
> have? java-17-openjdk-headless should have been pulled
> as a dependency when you pulled the PKI packages.
> > _______________________________________________
> > FreeIPA-users mailing list --
> freeipa-users(a)lists.fedorahosted.org
> >
> 17 got an update as well:
>
> java-17-openjdk-headless-17.0.3.0.5-0.1.ea.el9.x86_64
> java-11-openjdk-headless-11.0.15.0.1-0.1.ea.el9.x86_64
>
> thanks, L.
> _______________________________________________
>
tried that but with ipa & java but still fails - pretty messy case
this is so encourage all involved devel to look into it asap.
As Endi said, they are looking at it. The cause is known but it takes
time to get through gating for all involved packages. There is also a
bit of lack of automation to prevent de-synchronized package composing.
Next time this style of rebase happens, we'd try to coordinate better.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
742
days inactive
743
days old
freeipa-users@lists.fedorahosted.org
7 comments
4 participants
participants (4)
-
Alexander Bokovoy -
Chris Kelley -
Endi Dewata -
lejeczek